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The present invention relates to a method for providing cryptographic keys which are usable 
in a network of connected computer nodes applying a signature scheme. Further, the present 
invention relates to a method for providing a signature value on a message iu a network of 
connected computer nodes. Moreover, the present invention also relates to a method for 
venfymg a signature value on a message in a network of connected computer nodes. 

BACKGROUND OF THE INVENTION 

Many cryptographic schemes require the generation of a (random) prime each time it is used. 
Examples are signature schemes, group signature schemes, or credential systems, such as the 
so-caHed Cramer-Shoup signature scheme by R. Cramer and V. Shoup "Signature schemes 
based on the strong RSA assumption." In Proc. 6th ACM Conference on Computer and 
Communications Security, pages 46-52. ACM press, Nov. 1999. or the credential system by J 
Camemsch and A. Lysyanskaya in their article "Efficient nontransferable anonymous 
multi-show credential system with optional anonymity revocation." In B. Pfitzmann editor 
Advances in Cryptology - EUROCRYPT 2001, volume 2045 of LNCS, pages 93-118* 
Springer Verlag, 2001. The security of all these schemes is based on the so-called strong RSA 
assumption. More precisely, their security proofs require that each signatures or credentials is 
computed using a unique prime, i.e., the computation of each signature or credential involves 
computing an e-th root where e is said unique prime. The e is also referred to as unique 
exponent in the following. 

Unfortunately, the generation of primes is computationally expensive, especially if they need 
to be large. Because of this, the generation of signatures or credentials in the above mentioned 
schemes becomes computationally involved. 

25 For the generation of primes one could in principle each time choose any integer as unique 
exponent, as long as it possesses a prime factor that does not appear in any unique exponent 
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that was used before. This would require to store all exponents used so far and test the newly 
chosen exponent against these numbers; which, however, is very inefficient. 

From the above it follows that there is still a need in the art that the generation of a signature 
» Simplified for these schemes. Usually, a new prime is necessary each time a signature is 
generated, this is rather inefficient. Wore, it is an object to provide cryptographic keys and 
signature values more efficiently. Each signature value should be verifiable 



GLOSSARY 



The following are informal definitions to aid in the understanding of the description. 

10 pensions (developed with the use of media-independent data) attesting to, or establishing 
the Entity of an entity, such as a birth certificate, driver's license, mother's maiden name' 
social security number, fingerprint, voice print, or other bioruetric parameters). Moreover thJ 
credential comprises information, passed ftom one entity to another, used to establish the 
sendmg entity's access rights. The term certificate is understood as a particular credential 

15 statmg that a certain public key belongs to a certain entity or user. 

Signature: A digital signature consists of one or more values that relate a message to a public 
key.Astgnature can only be produced using the secret key corresponding to the public key. 
The following signs relate to the tenns indicated be S ide and are used within the description. 
A, B, Q D computer nodes 

2 0 P> q primes 

n product of p and q > 

sk secret key being derived from/? and q 

A first random limit 
v interval widths 
25 K v exponent-interval description 
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' exponent interval 

u, I security parameter 

e exponent value 

e 1 random prime 
m message 
*' verification value 
& hash function 

Q** elements having a squaxe root modulo* 

? > «, x elements of QR„ 

y computed signature root value 

signature value 



*• x public values 

">h,x,e',I public key value 

cxponent-iuterva] description V ) 
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random bit-numbers 
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SUMMARY AND ADVANTAGES OF THE INVENTION 

Provided is an efficient scheme for generating a unique exponent or exponent value such that 
it is no longer necessary to generate a new prime for each use of them. 

The scheme uses integers drawn from a particular interval instead of primes. Because 
choosing a random integer is much more efficient than choosing a prime at random, the 
issuing of signatures or credentials in resulting schemes will be more efficient. 

The main observation that allows one to use composites, i.e. non-primes, instead of primes as 
in the above mentioned scheme is that it is in fact sufficient for the schemes' security if each 
unique exponent has a unique prime factor that is sufficiently large. 

10 In general, at first a sufficiently large set of integers is determined such that all the integer, in 
the set have a unique prime factor. Once this set is specified, one chooses as u„i qU e exponent 
a random element from the set. V the set is sufficiently large, one will with high probability 
not select the same element twice. This Is most efficient if the set is an interval. Below it is 
described how to determine intervals such that each integer in the interval has a unique prime 



15 factor. 



In accordance with a first aspect of the present invention, there is given a method for 
proving cryptographic keys usable in a network of connected computer nodes A B C D 
applying a signature scheme. The method executable by a first computer node A comprising 
the steps of: 

20 - generating a random secret key sk; 

■ generating an exponent interval / having a first random limit A, wherein, with a probability 
close to certainty, each element of the exponent interval / has a unique prime factor that is 
larger than a given security parameter I; 

- providing a public key P k comprising an exponent-interval description A, v and a public key 
25 value n t h, x,e'J derived from the random secret key sk, 

such that the random secret key sk and a selected exponent value • from the exponent interval 
/ are usable for deriving a signature value y, /, . on a message m to be sent within the network 
to a second computer node B, C, D for verification. 
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The step of generating a random secret key sk can comprise the use of two primes p and q. 
The product of the two primes can then be part of the public key pk. As this approach is based 
on the hardness of factoring a secure cryptographic system can be achieved. 

In another approach the step of generating a random secret key sk can comprise selecting an 
5 integer value d which defines a class group G and selecting two elements g and z of the class 
group G. As this approach is based on the hardness of computing roots in groups of unknown 
order, a more secure cryptographic system can thus be provided. The step of providing the 
public key pk can then comprise computing a modified public key value d % h y x,e\I under use 
of the selected two elements g and z and the exponent interval /. This is further confirmed by 
10 the hardness of computing roots in groups of unknown order and thus leads to an even more 
secure cryptographic system. 

In accordance with a second aspect of the present invention, there is given a method for 
providing a signature value y, y \ e on a message m in a network of connected computer nodes 
A, B, C, D, the method executable by a first computer node A comprising the steps of: 
15 - selecting an exponent value e from an exponent interval /, wherein each element of the 
exponent interval / has, with a probability close to certainty, a unique prime factor that is 
larger than a given security parameter I; and 

- deriving the signature value y, y\ e from a provided secret key sk, the selected exponent 
value e, and the message m 7 the signature value y, y \ e being sendable within the network to a 
20 second computer node B , C, D for verification. 

The step of deriving the signature value y, y', e can further comprise a computation of the /-th 
root y of a value derived from the message m and the secret key sk using a cryptographic hash 
function H. The i is contemplated as the exponent value i. This allows the design of securer 
I cryptographic systems. 

i 

25 In accordance with a third aspect of the present invention, there is given a method for 

1 verifying a signature value y, y', e on a message m in a network of connected computer nodes 
A, B, C, D, the method executable by a second computer B, C, D node comprising the steps 
of: 
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- receiving the signature value y, y\ e from a first computer node A; and 

- verifying whether an exponent value e is contained in an exponent interval /, wherein each 
element of the exponent interval / has, with a probability close to certainty, a unique prime 
factor that is larger than a given security parameter /, the signature value y, y. , is invalid if 
the exponent value e is not contained in the exponent interval 7. 

The step of verifying can further comprise a computing step of raising a computed signature 
root value y to the power of the exponent value The computed signature root value y forms 
part of the signature value y, y ', e. 
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DESCRimON OF THE DRAWINGS 
FlG.l 



5 FIG. 2 



FIG. 3 c u„ P ° f 1,16 "Mention. 

^ows a flow diagram according to a am 

8 3 of the invention. 

ThC draWiDfiS « Prided for iUustrative oum 

^^^^--inventionrr 6 ^ " * * ~ ^ ~ 
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DESCRIPTION OF EMBODIMENTS 



Fig. 1 shows a typical network with multiple computer nodes A B r n . 
-heco ntempIate ---^^JLC^S 
example of a common computer system 2 wW . „ * ^ ^ 80 

5 hereoffourcomputernodcsA B Tln 7 & ^ ^ r iS ~. It consists 

— - ^es 5 can be an y commotion Sl^Z^ 
or messages from o ne computer node A B C n t , 

par&ipatittg network devices A B C D or „ *"* "** of 

- or cot^te, nKfcs A Y C D I ' iU -* *— — 

A,lB ' L ' D - s «ch communication lines 5 are u,*ii u. 
«• ^ cotnraon compuler systtm 2 5 - - known . , he 

— n-be, gene^on protocol. * SC " Pt ' 0n °' fc foU ° wta S 

15 Thefcltowtag despite i" more d elaU how crvptographfc tevs ,t nt . 

Kasignatorevaloe, y e o nam „ SM . ^ * Pk C " Pr0Vi<ted • "0U 

Cryptographic keys 

With reference to Fig. 2, the generation of a secret kev * . , 
20 described. The secret key sk and the «■ ! * ^ is flow 



a 

executes the 



following steps. At first, as indicated in box 20 a "T^ " 

25 P and 9 « part of ^ m . yme product of two primes 

Ul * indicated „ ta „ w f ?,? """"^ 7 h * a fa < 
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elements from 0/?, and e' a random / + 1 bit prime Let h h. , k v * . 

have ; hire a ■ „• Let /f be a hash function whose outputs 

« ,„ order t „ provide Ae public ley pk „ ^ > " 

Tier*, *. secret tev ^ ffld ^ » « «*- *. * 

***** ^ y „^ immiim . Thi8 si9 , a j , r;~ ;t 

■0 ~- S eoo n dco m p„.C,^^^^ 

In a further embodiment, fce generation of the random seem b,*„ ■ u 

-7-^-.e to ^^ te r;;~~ 

nnder use of to seiected ,wo eietneots f „ , ffld * C L , * " 



As this is baaed on .a hardness of eo^ ^ „ ^ „ f ^ ^ § 
cryptographic system cab be provided. 

20 2LTr W ?^ ted ^ e " S ^^^-^^- talk e 
nerworfc to the second computer node B T r» fi-™. >*■ 

— node A ,e^ s ^^^^f * *— - - 
indicated with box 33. y ' ' x * * as 
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In a further embodiment, the signature value y, /, e can be derived by computing the ,-th root 
y of a value derived from the message m , a,so referred to as computed signature root value y 
and the secret key sk by using a cryptographic hash function H. 

MataraticaJly, ,o sign a message m, toe sipe r. .... the ta computer node ^ cboosK , 

»do m d—ty ta eft mbm o, to casc of class w md _ ^ vaiue{ ^ 

/, and computes a y such that 



15 



20 



that means the computed signature root value y can be determined as foDows 

10 /.. i Wv'/l, 



To verify a signature, one computes x'=/*V< w > and checks 
holds. 



that/^jcA^') and eel 



Bar mean, te vaifying to ^ yalue ^ y , . on ^ ^ m ^ ^ 

aode B, C. D receives the signature value y, y. * as indicated with box 40. from the ft* 

computer node A. The secud computer „„* B. C, D veriiies by using the provided pan of 

d.ep.bbckeyvaiue^^^to^^^jj^^^^^^^^ 

CM . the exponent inrerval / K indicated ^ „ M „ ^ — ^ ^ 

exponent tarerva! / have, witb a proM)iliIy close „ , ^ 

■bat . larger than the given security paramerer The signature vatac y, ,. . is ^ if te 

exponent value e is not contained in the exponent interval /. 

The check comprises computing y- which means that the computed signature root value , tb„ 

> m of to signature value ,, * . b raised ,o the power of rhe exponent value * as .shown in 
the equation above. 
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Choosing an Interval 

In the following is addressed how an exponent interval I can be chosen. The above scheme 
can be shown secure if the interval / contains only few integers that have either a distinct 
prime factor Iarge r than a certain size / or two distinct prime-factors larger than 2* (the 
integers that do not meet these conditions are called (^-smooth) aQ d no integer with the 
largest prime factor smaller than T. Therefore, in order to choose an interval / one need to 
evaluate the probabilities for that whether a randomly chosen interval meets this condition. 

Let n, and n 2 denote the biggest and second biggest prime factor of number «, respectively. 
Define the quantities 

ffx,y) <n*x: n, *yj and ffx,y,z) =#{0 <n*x: n , * y> njSz> ;> 

It can be shown that the probability that randomly chosen interval / = [A, A +2>] contains 
more than 2- integers that are ^smooth is at most 9fA, 2', T) 2™ /A and that ii contains 
no odd integer with a prime factor smaller than T is at most ¥fA, T) ? /A, provided that 
V<W< ^ h0lds - This now «* » Choose the A, t and v (and thereby the interval) 
such that these probabihties are small, i.e., such that / meets the required condition with 
sufficiently high probability. To evaluate the quantities Jfctf and ^ one can use 
bounds on them that are found in literature. 

Any disclosed embodiment may be combined with one or several of the other embodiments 
shown and/or described. Tim is also possible for one or more features of the embodiments. 

20 The present invention can be realized in hardware, software, or a combination of hardware 
■ and software. Any kind of computer system - or other apparatus adapted for carrying out the 
: method described herein - is suited. A typical combination of hardware and software could be 
a general purpose computer system with a computer program that, when being loaded and 
; executed, controls the computer system such that it carries out the methods described herein 
* The present invention can also be embedded in a computer program product, which comprises 
i all the features enabling the implementation of the methods described herein, and which - 
when loaded in a computer system - is able to carry out these methods. 

i 
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Computer program means or computer program in th» ™- . i 

puicr program m the present context mean anv exDre.«i ftn 

-b~» pro c Ksfag capability „ ^ , ^ toc[ioo J 
or bo* of fe foUowiaa a) oo„ve™oo ,o anothor laaa.aaa cod . „ . 



oi/uo uo flu id:2u rAA +41 i /21 oa 01 
CH920020054 



10a LVRiun irv 



■»-♦■» crux rAnsius igiuzu 
020 31.03.2003 14:22:15 



13 



CLAIMS 

1. 



A method for providing cryptographic keys (sk, pk) usable in a network of connected 
computer nodes (A, B, C, D) applying a signature scheme, the method executable by a 
first computer node (A) comprising the steps of: 
5 - generating a random secret key (sk); 

- generating an exponent interval (/) having a first random limit (A), wherein, with a 
probability close to certainty, each clement of the exponent interval (/) has a unique prime 
factor that is larger than a given security parameter (/); 

• providing a public key (pk) comprising an exponent-interval description (A, v) and a 
10 public key value (n,h,x,e\I) derived from the random secret key (sk), 

such that the random secret key (sk) and a selected exponent value (*) from the exponent 
interval (7) are usable for deriving a signature value (y, y', e) on a message (m) to be sent 
within the network to a second computer node (B, C, D) for verification. 



15 2. The method according to claim 1, wherein the step of generating a random secret key (sk) 
comprises using two primes (p, q), the product of which is part of the public key (pk). 

3. The method according to claim 1, wherein the step of generating a random secret key (sk) 
comprises selecting an integer value (d) defining a class group (G) and selecting two 
elements (g, z) of the class group (G). 

20 4. The method according to claim 3, wherein the step of providing a public key (pk) 
comprises computing a modified public key value (d, h, x, e>, I) under use of the selected 
two elements (g, z) and the exponent interval (I). 
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5. A method for providing a signature value fy, ,) on a raessage k a ^ 

connected computer nodes (A, B, C, D), the method executable by a first computer node 
(A) comprising the steps of: 

- -ha* an exponent vame W from an Mpone „ intavaI ft ^ ^ 
the exponent nerval W has, with , polity clo8e „ ^ , ^ ^ 
ttat is larger ta a given sreurity parameter (i); ajj 
• «vin g the signature vatoe fc ,. „ from , p[ovidcd ma tey 

t ? " " ^ (m) ' * ma val " e <* * * — * 

wthtn eta network to a second computer node (B, C, D) f„ r verified 

e) father comprises a computation of the M, M w of . value ^ ' ' 

W " 11,6 "* "* <* «*• ■ «VP» hash Action flft to , being 
the exponent value ({), g 



X A medmd fc verifying . ^ ^ fc y _ ^ ^ § ^ ^ ^ ^ 

connect* computer nodes (A.B.C.D), the mem* amabk hy a second computer <B 
uj node comprising the steps of: 

- receiving the signature value (y, y< ,) f rom a fir,, computer node (A); ^ 

- verifying whether an exponent value (e) is contain i« 

r ^uc ie; is contained in an exponent interval (I) wherein 
each eiemen, of the exponent interval „ has, with a p MbaH% close t0 ^ 
tmtque pnme factor that is la^er than a given security parameter «fc the aig^re 1 
(y.V.OumvaJtdifthe exponent vaine (e, is no, eo„ tttae d in me exponent in,^ ». 
• B. method acco^ w claim 7 , whmin ^ ^ ^ ^ ^ 

computmg step of raising , competed signature roc, vame W ma, ^ ^ „ f ^ 
signature value &./,«) to the power of the exponent value (e). 

A computer program eiemen, comprising program c*e means for pertbtming a method 
of any one of me claims 1 to 8 when said program is run on a compute,. 
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10. A computer program product stored on a computer usable medium, comprising computer 
readable program means for causing a computer to perform a method according to anyone 
of the preceding claims 1 to 6. 

5 IL A computer device (A ? B, C, D) comprising: 

a computer program product according to claim 9; and 

a processor for executing the computer program product when the computer program 
product is run on the computer device. 
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Abstract 



RANDOM NUMBER INSTEAD OF RANDOM PRIME 



I* present invention relates to a method for providing olographic keys which are usable 
» . network of connected computer nodes applying a signature scheme. Further, the present 
mention re ,ates to a metho d for providing a signature value on a message in a network of 
conned computer nodes and a method for verifying te signature value on ^ 

[Fig. 2] 



